September 1, 2015

Digging a tunnel for a mile so that El Chapo could slip into the shaft through his shower and disappear from a high security Mexican prison is something you might expect a Hollywood screenwriter to come up with. Is it any more remarkable, though, than a cyber-criminal reaching all the way around the world to try to slip into the computer system of a bank, or of one of the bank's customers, in order to initiate a wire transfer?

We live at a time when individuals and criminal gangs can reach across oceans and national boundaries to try and initiate unauthorized transfers

May 7, 2015

FDIC bank examinations generally cover the information technology (“IT”) systems of banks, with particular attention to information security. The federal banking agencies issued the implementing Interagency Guidelines Establishing Information Security Standards (Interagency Guidelines) in 2001. In 2005, the FDIC developed the Information Technology—Risk Management Program (IT-RMP), based largely on the Interagency Guidelines, as a risk-based approach for conducting IT examinations at FDIC-supervised banks. The FDIC also uses work programs developed by the Federal Financial Institutions Examination Council (FFIEC) to conduct IT examinations of third party service providers (“TSPs”).

April 11, 2014

As cyber attacks against financial institutions have become more and more frequent, and the possibility of significant adverse consequences from a single attack has increased, financial institutions have been stepping up cyber security processes for some time. However, many institutions still grapple with the appropriate level of disclosure to shareholders regarding cyber security.

Cyber attacks can come from all directions and in all shapes and sizes—from the stolen employee laptop to a hacked computer system that allows fraudulent transfers from an account. Attacks where the criminals bypass both the computer systems of the bank and its customers and instead access the systems of the bank’s outside service providers can also leave the bank at risk. Which of these attacks or potential attacks merit disclosure?

In October of 2011, the Securities and Exchange Commission (SEC) issued CF Disclosure Guidance: Topic No. 2, which described disclosure obligations for cyber security risks and cyber incidents for public companies. While there is no explicit disclosure requirement regarding cyber security risks or incidents, the guidance from the SEC highlights areas that may require disclosure of cyber security risks or incidents, including:

Risk Factors – Like other operational and financial risks, the risk of a cyber incident should be disclosed if it is among the most significant factors that make an investment in the company speculative or risky. The disclosure should be specific to the company and sufficient to allow investors to appreciate the nature of the risk without compromising the company’s cyber security.

Management Discussion & Analysis – MD&A disclosure should include any known incident or risk or potential incident that represents “a material event, trend or uncertainty that is reasonably likely to have a material effect on the [company’s] results of operations, liquidity, or financial condition” or cause reported information not to be indicative of future results.

Description of Business – Disclosure should be provided where a cyber incident may affect products, services, relationships with customers or suppliers or the company’s competitive position.

Financial Statements – Financial statement disclosure may include material costs of an incident or incurred to prevent cyber incidents or mitigate damages, including incentives to maintain business relationships related to an incident.

Disclosure Control and Procedures – Cyber risks should be disclosed to the extent there is a risk to the company’s ability to record, process, summarize and report information required in SEC filings.

For banks and financial institutions that are not subject to the reporting requirements of the Securities Act of 1934, there are no applicable federal banking regulations that require disclosure to shareholders regarding cyber attacks or incidents. However, shareholder requests for information regarding cyber security from both private and public companies could become more common as banks, large and small, use more smart phones, tablets and other technology to deliver products and services, and as cyber attacks become more frequent and more sophisticated in technique. In responding to such shareholder requests, companies should review the request and ensure that it complies with applicable state corporate laws regarding shareholder inspection of corporate records. These statutes generally require that a request for such information be made in good faith for a proper purpose that is reasonably relevant to a legitimate interest of the shareholder.

In the end, the key to good disclosure is first understanding the company’s “cyber business” and where the company’s risks lie. This includes understanding the company’s cyber risks from third party vendors and any contractual obligations to reimburse vendors for losses related to an attack on the vendor’s or other third party systems. Often, even when the company has cyber insurance, the policy will only cover incidents where the attack is on the bank’s systems, which may leave the bank holding the bag if an attack occurs indirectly through a vendor’s or customer’s systems. We recommend a review of such policies by counsel or an insurance professional to ensure a good understanding of the risks covered by the policies.

The attorneys of Bryan Cave LLP make this site available to you only for the educational purposes of imparting general information and a general understanding of the law. This site does not offer specific legal advice. Your use of this site does not create an attorney-client relationship between you and Bryan Cave LLP or any of its attorneys. Do not use this site as a substitute for specific legal advice from a licensed attorney. Much of the information on this site is based upon preliminary discussions in the absence of definitive advice or policy statements and therefore may change as soon as more definitive advice is available. Please review our full disclaimer.